Context: NITI Aayog, the Government’s main think-tank, last month released a discussion paper on a new data-sharing framework.
Concerns of misuse, security, and privacy violations
- Increase in data breaches:
- In 2019, in the United States, an advanced tech market, there were 1,473 instances of data breaches
- Slow Response: A 2020 study of 17 geographies done by Ponemon Institute for IBM Security shows India to be the fourth-worst in the time taken to identify and contain a data breach.
- Lack of consumer education: In India, the lack of consumer education has created issues even with money transfer, which most users approach with greater caution.
- Systemic failure in maintaining safeguards.
Data Sharing and Economic growth
- Positive Correlation: In most countries, data sharing has driven economic growth and innovation.
Legislative Provisions and Evolution of Data Protection in India:
- In 2000: The Information Technology Act 2000 offered some data protection.
- In 2010: First Aadhar number issued - kickstarted nationwide debate on data protection and privacy.
- In 2012: eKYC launched; first large scale, state-driven consent-based sharing of data.
- In 2015: DigiLocker launched; expanded consent-based data sharing of documents and certificates.
- In 2017: DEPA was unveiled, Supreme Court declares privacy as a Fundamental Right.
- In 2018: Justice B N Srikrishna Committee submits its report and draft law on data protection.
- In 2019: Account aggregator model launched.
Benefits of Data Empowerment and Protection Architecture (DEPA)
- Positive Correlation with economic growth: In most countries, data sharing has driven economic growth and innovation.
- From super apps in China to banks in the US, to fintech companies in Africa.
- Financial Inclusion: seeks to accelerate financial Inclusion by advocating the sharing of data by users
- Challenges current global thinking about data protection:
- European philosophy, which is geared towards protecting user data often at the cost of business innovations –
- DEPA says this approach would be counterproductive for India, a developing country.
- The American way, which is geared towards tech businesses, and innovations, but raises questions on whether they have too much power and if they will use it responsibly-
- DEPA seeks to address this by defining who has access to data and by making user consent the key.
- Managing the user consent: DEPA proposes a new set of entities to manage user consent called account aggregators
- While account aggregators will manage the flow of user data, they won’t have access to it
- DEPA, however, doesn’t cover data misuse by the giver (here, banks) or receiver (here, robot advisors).
Conclusion: Even when data-protection frameworks look alike, how well they work depends on the technical, legal and institutional capacities of different countries.